How to configure renewable tickets in Kerberos?
Issue
It does not seem possible to configure renewable tickets in MIT Kerberos.
The following options are set in /var/kerberos/krb5kdc/kdc.conf for a 10-day renewable ticket:
[realms]
 TEST.COM = {
  master_key_type = des3-hmac-sha1
  max_renewable_life = 10d 0h 0m 0s
  default_principal_flags = +postdateable, +forwardable, +tgt-based, +renewable, +proxiable, +dup-skey, +allow-tickets, +service, +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
getprinc shows the correct value. (Maximum renewable life 10 days)
kadmin.local: getprinc user1
Principal: user1@TEST.COM
Expiration date: [never]
Last password change: Wed Dec 16 14:32:34 CET 2009
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 10 days 00:00:00
Last modified: Wed Dec 16 14:32:34 CET 2009 (root/admin@TEST.COM)
But after getting a ticket with the kinit command, klist does not show the correct value: the "renew until" time is the same as the ticket's start time.
# date
Wed Dec 16 14:58:18 CET 2009
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r.van.leeuwen@TEST.COM

Valid starting     Expires            Service principal
12/16/09 14:57:56  12/17/09 00:57:54  krbtgt/TEST.COM@TEST.COM
        renew until 12/16/09 14:57:56
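A way to check for this symptom automatically, as an added example (not part of the original article or of MIT Kerberos): the script parses klist output and reports each ticket's lifetime and renewable window. The function names are hypothetical, and the MM/DD/YY timestamp format is assumed from the output shown here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output from this page in klist's column layout.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r.van.leeuwen@TEST.COM

Valid starting     Expires            Service principal
12/16/09 14:57:56  12/17/09 00:57:54  krbtgt/TEST.COM@TEST.COM
        renew until 12/16/09 14:57:56
"""

FMT = "%m/%d/%y %H:%M:%S"  # assumption: timestamp format as shown on this page
STAMP = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s*renew until ({STAMP})\s*$")


def renewable_windows(klist_text):
    """Return [(service, lifetime, renewable_window)] for each ticket.

    renewable_window is None when klist printed no "renew until" line and
    timedelta(0) when "renew until" equals the start time (the symptom here).
    """
    tickets = []
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:
            start = datetime.strptime(m.group(1), FMT)
            end = datetime.strptime(m.group(2), FMT)
            tickets.append([m.group(3), start, end - start, None])
            continue
        m = RENEW.match(line)
        if m and tickets:
            # A "renew until" line belongs to the ticket line just above it.
            renew = datetime.strptime(m.group(1), FMT)
            tickets[-1][3] = renew - tickets[-1][1]
    return [(svc, life, window) for svc, _start, life, window in tickets]


def not_renewable(klist_text):
    """Services whose ticket has no renewable window at all."""
    return [svc for svc, _life, window in renewable_windows(klist_text)
            if window is None or window <= timedelta(0)]


if __name__ == "__main__":
    for svc, life, window in renewable_windows(SAMPLE):
        print(f"{svc}: lifetime={life}, renewable window={window}")
```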
Environment
Red Hat Enterprise Linux 5.4
krb5-server-1.6.1-36.el5